Thursday, July 20, 2017

Building a Content Security Policy configuration with CSP Auditor

This post was originally posted on GoSecure's blog

Content Security Policy - or CSP in short – is the latest milestone in browser XSS attack mitigation. Rather than relying on the browser's anti-XSS filter solely, it is now possible to instruct browsers to apply additional restrictions on external resources like Javascript. This is enforced via the CSP HTTP Headers. The true adoption of this standard will probably not happen before auto-generated and transparent CSP configuration become built-in to web frameworks. At the moment, manual work is still needed in most cases.
In this blog post, we discuss the basic strategy to integrate CSP into an existing website. It covers the theory and the new features of CSP Auditor. If you are not familiar with the tool or CSP, you can read our previous article.